Hacking
Advanced Tutorial: Man in the Middle Attack Using SSL Strip – Our Definitive Guide
We got a lot of great feedback from our first Man in the Middle Video so we decided to double-down and give you guys some really juicy MitM demos and analysis. Our Ethical Hacking students have been really excited about this one during classes, so I wanted to share some of the good stuff here.
This one shows how to use SSLStrip with a MitM attack. We first give a demo of the attack and in the next two videos you can really gain an understanding and the practical knowledge of how it functions.
If you want to follow along, everything is really within BackTrack4, but the individual tools/techniques/software you’ll need are:
This is freaking awesome! I’d heard about being able to do this, but this is the first time I’ve ever seen it proven. Keatron I’m in Chicago. Do you do classes here?
‘@Aaron. Yes we do classes in Chicago all the time after all we’re based in the area! What type of class are you looking for? You can start by looking at our course catalog, then come back here and discuss.
http://www.infosecinstitute.com/request_course_catalog.html
Just came across your site/videos and I like them a lot; keep them up!!
So for the next video, can you show us how to detect that there is a man in the middle, or a security technique where a man can not get into the middle?
‘@Gary. No problem.
“So for the next video, can you show us how to detect that there is a man in the middle, or a security technique where a man can not get into the middle?”
+1
id like to see counter measure video if possible.
thx
‘@Pieface and Gary. Working on something for it guys. Thanks.
Why is the client redirected to HTTP instead of HTTPS? Will there be additional SSL warning pop-ups if the client keeps the SSL-session to the SSL Strip box, that decrypts it with the certificate that was presented and then establishes a new SSL-session to yahoo.com instead of redirecting the client to a HTTP-page? It would still be possible to capture the content and the client keeps the HTTPS url?
The way it works is it picks out HTTP traffic from port 80 and then packet forwards onto a different port (10,000 in this case).
SSLStrip is at the same time listening on that port and removes the SSL connection before passing it back to the user.
Ettercap then picks out the username & password.
Yes, there would be an additional SSL warning that says this certificate cannot be validated or something of that nature. Whether or not the victim gets that message depends on the browser they’re using, how the browser is configured, etc. Using this method takes that possibility out of the equation completely.
I don’t think this information is completely correct. SSLStrip does not certificate chain by signing a valid certificate from a leaf certificate. It just redirects a https to an http thus removing the need for certificates, at least for the client to mitm session. Everything else appears correct. The automatic leaf signing use to be done by sslsniff, however, that doesn’t work any more since nowadays most browsers check the basicconstraints which verify the entire chain. Correct me if I am wrong. The guy who created sslstrip has a great explaination in his blackhat 2009 whitepaper.
i might have to take a trip to Chi for a class…im at ITT and im learning this aswell…very interesting and great video!
great video so you do classes what about online ?
I think this is fantastic. I’ve been getting Cisco certifications and am relatively new to the network security realm. I wanted to thankyou for spending the time to compile this site; and wanted to ask you how long you have been researching and experimenting with pen testing to become so good.
‘@DJ. I’ve been experimenting since I was 13 or 14. Been doing this professionally about 14 years.
‘@Ronnie. Check out our online courseware offerings. Just go to our main website www dot infosecinstitute dot c0m then select the online courses link.
hi, i tried everything in this post, even tried different posts but i cant get the sslstrip program to capture anything, it runs fine, i have set my iptables and ports, arpspoof’s working and i also use ettercap, but when i get to the point of actually getting the packets i get nothing, i just get this:
“sslstrip 0.9 by Moxie Marlinspike running…”
and it doesnt capture anything. Any ideas??? Im using backtrack 5.
hello sir.. i was thinking.. how could you then bring back the original settings of the IPtables after you have stop doing all the MITM attack thing.. will it auto set it self to default after you stop doing the MITM attack.. thanks please response..
‘@Amnesiac : you have to check on the file “ssstrip.log”.. try typing “tail -f sslstrip.log” in the terminal
performed the steps exactly as mentioned. But the response to
#arpspoof -t 192.168.196.129 192.168.196.2
is
arpspoof: couldn’t arp for host 192.168.196.129
also i m using ubuntu and there is no file etter.conf in path mentioned so cudn’t modify that too.
To the people having trouble: The most obvious reason of why is because this video should have been trashed and redone, there are so many mistakes, breeze-overs of important aspects, and not to mention the authentication attempts he makes in the video aren’t even using SSL!! just HTTP, you can even see this in his ettercap output near the end.
I will make a video that clearly documents how to edit your etter.conf file (btw, ananya it should be located at /etc/etter.conf if it isn’t there I would re-configure ettercap via dpkg) how to add (and REMOVE) needed changes to IPTABLES, as well as show you how to write these steps into a script using variables for your target, instead of having 9 term-emus open.
Ananya, make sure you can actually ping the target ip’s. Usually when you can’t arp them it’s because you can’t communicate with them.
Kyubi, you can comment out the rule you added. You can also remove it by entering the exact command again, but add the -D option. You can also do iptables -L -n -v –line to see a list of rules. Then once you find the line you added, enter iptables -D (number of the line which is your rules).
Hey this is awesome man. Keep up the good work. Wonderfull
Keatron
Excellent video. I have been trying to conduct this on my own but I have no luck finding arp spoof on the net. The one that I found was a rar file. I am not sure on how to load that successfully. Can you advs.
Richard Arnold
Is there a workaround if we don’t have a trusted certificate to issue leaves from?
Hi Keatron – or anyone that can answer. Very nice videos, but I don’t quite understand one of the steps in the EXPLANATION OF HOW IT WORKS PART 1: video. I understand certificate chaining, but why would the client accept a certificate for e.g. google.com.infosecinstitute.com when it wants to get to google.com? So even if SSLstrip issues a fake valid certificate, why would it get accepted when the name doesn’t exactly match? Even if the browser’s set up to match & accept *.google.com – it’d still have to END in google.com and have google.com as the top-level domain, no? what am I missing, why is the certificate accepted from the MITM? thanks a lot
Ah, I just saw one of your other comments – maybe the certificate ISN’T automatically accepted by the client, the method relies on the client just clicking through OK and not worrying about warning messages about the certificate? correct?
Hello keatron, i want to study your class for Backtrack 5 . can i study from internet?